SQL Server Reporting Services (SSRS) 2008 and newer RSWindowsKerberos AuthenticationType and IE Blank Screen

I was working on an issue with SQL Server Reporting Services (SSRS) 2008R2 attempting to get a better understanding of an authentication issue.  I learned while working with IE9 and SSRS 2008R2 that you can't set the SSRS AuthenticationType to RSWindowsKerberos if you're using IE as a client. 

To provide further information on this, SSRS has various AuthenticationTypes that can be configured in rsreportserver.config.  The authentication type RSWindowsKerberos causes the SSRS server to request Kerberos authentication by sending a 'WWW-Authenticate: Kerberos' header to the client. In my case IE was the client and IE does not understand that header, so it stopped the conversation with the server and displayed a blank screen.

IE performs Kerberos authentication via the 'WWW-Authenticate: negotiate' header per RFC http://tools.ietf.org/html/rfc4559.  When IE receives a negotiate header, it will try Kerberos first, then if that does not work, back down to NTLM.  Therefore if IE is the client for your SSRS 2008 (or above) server, use an authentication type of RSWindowsNegotiate if you want to use Kerberos or RSWindowsNTLM if you want to force NTLM authentication.

Comments (0)

Skip to main content